Open source code libraries have a significant number of security vulnerabilities, according to an Aspect Security study that analyzed 113 million software downloads from Sonatype's Central Repository of more than 30 Java frameworks and security libraries over the previous 12 months.
The researchers found that 26 percent of the library downloads had known security flaws, including flaws that existed in Spring, an application development framework for Java. The vulnerabilities, which existed in Spring's use of Expression Language, could be exploited by attackers using HTTP parameter submissions to obtain sensitive system data as well as application and user cookies. Other vulnerabilities varied from flaws that could be used to completely take over the host using the library to flaws that could result in the loss or corruption of data if attacked. In addition, the researchers found that the most popular vulnerable open source libraries were Google Web Toolkit, Apache Xerces, Spring MVC, and Struts 1.x.
The study noted that developers do not currently have any means for knowing whether or not the open source libraries they use contain vulnerabilities, aside from closely watching mailing lists, blogs, and online forums.
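The gap the study points to, checking declared dependencies against known advisories, can be closed with a small build-time check. The Python below is an added illustration, not code from the article or the Aspect Security study: the pom.xml and the advisory list are constructed, and the "fixed" versions are placeholders rather than real vulnerable ranges.

```python
"""Added illustration: flag Maven dependencies older than an advisory's fix.
The pom.xml and ADVISORIES below are constructed; the fixed versions
are placeholders, not real vulnerable ranges."""
import xml.etree.ElementTree as ET  # use defusedxml for untrusted poms

# Constructed advisories: (groupId, artifactId, first fixed version, reference)
ADVISORIES = [
    ("org.springframework", "spring-core", "9.9.9", "PLACEHOLDER-ADVISORY-1"),
    ("struts", "struts", "9.9.9", "PLACEHOLDER-ADVISORY-2"),
]

# Constructed sample pom; the default POM namespace is deliberately present.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.springframework</groupId>
      <artifactId>spring-core</artifactId><version>1.2.3</version></dependency>
    <dependency><groupId>struts</groupId>
      <artifactId>struts</artifactId><version>9.9.9</version></dependency>
  </dependencies>
</project>"""

def _local(tag):
    """Strip the XML namespace so the default POM namespace does not matter."""
    return tag.rsplit("}", 1)[-1]

def version_key(v):
    """Dotted versions compared numerically; non-numeric parts count as 0."""
    return tuple(int("".join(ch for ch in p if ch.isdigit()) or 0) for p in v.split("."))

def parse_dependencies(pom_xml):
    """Return (groupId, artifactId, version) for every <dependency> element."""
    deps = []
    for el in ET.fromstring(pom_xml).iter():
        if _local(el.tag) == "dependency":
            f = {_local(c.tag): (c.text or "").strip() for c in el}
            if all(k in f for k in ("groupId", "artifactId", "version")):
                deps.append((f["groupId"], f["artifactId"], f["version"]))
    return deps

def find_vulnerable(deps, advisories=ADVISORIES):
    """Dependencies older than the advisory's first fixed version, with reference."""
    return [(g, a, v, ref) for g, a, v in deps
            for ag, aa, fixed, ref in advisories
            if (g, a) == (ag, aa) and version_key(v) < version_key(fixed)]

if __name__ == "__main__":
    for g, a, v, ref in find_vulnerable(parse_dependencies(SAMPLE_POM)):
        print(f"{g}:{a}:{v} is below the fixed version, see {ref}")
```

In practice the advisory list would be fed from a vulnerability database rather than hard-coded, and the check wired into the build so a flagged coordinate fails it.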
From Network World
Abstracts Copyright © 2012 Information Inc., Bethesda, Maryland, USA